I signed up for github and notice the ssh key option which looked interesting. I originally expected something like an ssl key (name, co name, etc). After going through it i notice i only put a password and it is always myuser@comp-name (this is windows). Why? I thought it was a user/pass id and i can create separate keys for separate purpose for privacy reasons.

Now i see i am required to use one to create a repository. Also i see something about a 'private key file' when looking at options. What exactly is an SSH Key and how can i create a separate user without creating a separate login in windows.

Thats cool. Now i realize what was bothering me isnt an issue since name@comp is a comment and i can remove that to just use the key. The three i use (git gui, git/msysbash and puttyGen) all use random data. I cant create identical keys with long 30 character passwords? also the passphrase in puttygen seems to do absolutely nothing. So if i lose my key i can never sign again. I either need to backup carefully or store online someplace. That seems bad. Maybe i'll encrypt then upload it.
–
acidzombie24May 17 '10 at 8:03

1

Are you talking about the private key? If so, you're right, storing it online is a bad idea. It should never leave the computer it's generated on. I guess you could back it up somewhere but if you lose it, you can always make a new one, so it's not that big a deal. (well I suppose that depends on how willing you are to update the key on file at all the sites you log into)
–
David ZMay 17 '10 at 8:08

@David: Oh. yeah, it could be that easy. I was thinking like pgp where other ppl need the public key and your not storing it somewhere. In the case of github i could always login and update the keys. I guess that isnt hard. But your saying they will use random data and i cant generate identical keys with the same phrase? It feels almost pointless to use a phrase. This has been helpful.
–
acidzombie24May 17 '10 at 8:29

@acidzombie24: There may be some misunderstandings here. "the passphrase in puttygen seems to do absolutely nothing" -> The passphrase is used to encrypt your private key, to protect your private key if it falls into the wrong hands. You can just omit the passphrase if you don't need the protection. The passphrase has nothing to do with the key authentication itself, so yes, if you lose the private key, you can never sign again (with that key). But you make (secure) backups of all your stuff anyway, dont't you? ;-)
–
sleskeMay 17 '10 at 8:42

@acidzombie24: "But your saying they will use random data and i cant generate identical keys with the same phrase?" Yes, a (private) key must use random data, otherwise it wouldn't be secure (b/c it would be easy to guess). And "generating identical keys" does not make sense; if you want an identical key, just copy it :-).
–
sleskeMay 17 '10 at 8:44

Have you heard of asymmetric encryption (also called public-key cryptography)? That's the technology that SSH keys are based on.

The basic concept of asymmetric encryption is that you have two cryptography keys, which are typically very large numbers (or equivalently, long strings of binary data). Any message encrypted with one of them can be decrypted only with the other one - not even with the original encyption key itself! This is useful because you can keep one of the keys, the private key, to yourself, and publish the other one, the public key, somewhere online or wherever you like. People can encrypt messages using the public key and be confident that only you, the holder of the corresponding private key, can decrypt them and read their contents. (This is how GPG and PGP and similar programs work, if you've ever heard of those)

It turns out that the process also works in reverse, with the keys switched. If you encrypt something using your private key, it can only be decrypted using the corresponding public key. This may seem useless because anyone in the world can get your public key and decrypt the message, but it does have one very useful side effect: it confirms that the message came from you. Because nobody else in the world has your private key, nobody else could have made a message that can be decrypted with your public key.

If you think about it, being able to verify that a message came from you and not from some impostor is exactly what authentication is all about. Every time you log into a website using a username and password, you're providing some secret information that supposedly only you know, in order to prove that the login request is coming from you. Well, you can do the same thing with your private key: encrypt your login request in order to prove that it comes from you. And that's how SSH key pair authentication works. Instead of you providing a username and password, the SSH server sends your SSH client a message to be encrypted with your private key. The client encrypts it, sends back the encrypted message, and the server decrypts it using your public key to check it. If it passes the check, congratulations, you're logged in!

I haven't signed up for GitHub myself (yet) so I'm not familiar with the exact procedure, but I suspect that when they ask for a username@host, that's just as a comment to identify the particular key. If you log into GitHub from different computers, you'll have a different SSH private key for each of those computers, and GitHub needs to keep track of all the corresponding public keys. The username@host is a pretty standard way to label SSH public keys that come from different people and/or different hosts.

By the way, it's worth mentioning that SSH key pair authentication is generally considered more secure than username/password authentication. The reason is that, when you use a username and password to log into a website, you have to share that information with at least one other computer: the web server that runs the site. Most of the time, that's fine, but it's always possible that whoever is in charge of the website, or even just someone who has access to the server, could be recording your password and using it behind your back to impersonate you. Using a private/public key pair eliminates that possibility, because you never share the private key with anyone at all, not even the server you're logging into. So, although the server (e.g. GitHub) is perfectly able to check whether it's really you logging in, it still doesn't have enough information to pretend to log in as you.

As for how you create an SSH key pair: I'm a Linux user myself, so I'm not sure how it'd be done with the software you're using on Windows. Whatever SSH client program you use (PuTTY?) should give you some way to create a key pair.